LABYRENTH CTF WINDOWS TRACK CHALLENGE #6

File: Ambrosius.exe

SHA256: 54CB91340DBC073FB303A7D920E26AA1D64F9EE883D6AAE55961A76D5AFF91F4

Packed: No

Architecture: 32Bit

Tools used: exeinfo, IDA Pro

Codes & Binaries: https://github.com/jmprsp/labyrenth/tree/master/Window-Challenge-6

Description: This challenge is written in C. The goal is to find the correct password such that the decrypted string begins with “PAN{?????”.

Figure 1. Unknown EXE?

IDA Pro’s strings list and import list did not surface anything useful.

Scrolling down the code, the first thing that caught my eye is a check for PAN{. Perhaps we can work our way up from here.

Figure 2. PAN{

Tracing upwards, we can assume that a password of length 11 is passed into a decrypt function (0x401425). Analyzing further upwards, we start to see how the password is formed.

Figure 3. b00?????

The following are the instructions that build the password string. Note: the challenge uses a shellcode approach to get values from the system and to call system functions.

Address       Instruction                        Possible values
-----------   --------------------------------   ------------------------------------------------
0x00401158    MOV BYTE PTR DS:[EAX],62           b
0x0040116A    MOV BYTE PTR DS:[EAX+1],30         0
0x00401166    MOV BYTE PTR DS:[EAX+2],30         0
0x0040114B    MOV BYTE PTR DS:[EAX+3],21         !
0x00401383    MOV BYTE PTR DS:[ECX+4],DL         0x2d + month
0x0040138F    MOV BYTE PTR DS:[ECX+5],DL         0x5e + day
0x004013AB    MOV BYTE PTR DS:[ECX+6],DL         0x42 + hour
0x0040132C    MOV BYTE PTR DS:[ECX+7],DL         A, B, F (minor version)
0x00401336    MOV BYTE PTR DS:[ECX+8],DL         ?, @, A, B (major version)
0x0040139F    MOV BYTE PTR DS:[ECX+9],DL         i, j (isDebugger)
0x00401152    MOV BYTE PTR DS:[EAX+0A],BL        0x5e + one of 0xc, 0x14, 0x00, 0x08, 0x10, 0x04 (language)

From the table above, we know that 4 of the 11 password characters are fixed. The remaining 7 characters can be brute-forced.

The lazy way I used for this challenge is a Python debugging script that breaks at 0x00401425. Once the breakpoint is hit, the script overwrites the password buffer with our generated password.

To check whether we have the correct password, I placed another breakpoint at 0x0040143B (refer to Figure 2). If that breakpoint is hit, it simply means we have found the correct password.

I used PHP to generate the list of possible passwords and fed it into the Python script (based on the sample from Gray Hat Python) to test each password against the executable. This approach is definitely not the fastest way to solve the challenge, but I think it is the laziest way to do it… =D
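To make the keyspace from the table concrete and to show the shape of the brute-force loop (candidate written into the buffer at 0x00401425, success signalled by reaching 0x0040143B), here is an added Python example. It is not the write-up's own PHP generator or its Gray Hat Python script. The value ranges for month, day and hour and the letters for the version, debugger and language bytes are assumed to be exactly those the table lists; the debugger is replaced by an `oracle` callback, and `demo_oracle` with its `DEMO_TARGET` is a constructed stand-in that accepts one arbitrary candidate, not the challenge's real password.

```python
"""Candidate-password enumeration for the Ambrosius.exe password check.

Layout taken from the instruction table: 4 fixed bytes ("b00!") followed by
7 variable bytes derived from the date/time, OS version, debugger flag and
language. Ranges and letter sets are assumptions based on that table.
"""
import itertools
from typing import Callable, Iterator, Optional

FIXED_PREFIX = b"b00!"                   # bytes [0..3], from the MOV BYTE PTR ...,62/30/30/21 stores
MONTHS = range(1, 13)                    # byte [4]  = 0x2d + month
DAYS = range(1, 32)                      # byte [5]  = 0x5e + day
HOURS = range(0, 24)                     # byte [6]  = 0x42 + hour
MINOR_VERSION = b"ABF"                   # byte [7]  (minor version)
MAJOR_VERSION = b"?@AB"                  # byte [8]  (major version)
IS_DEBUGGER = b"ij"                      # byte [9]  (isDebugger)
LANGUAGE_OFFSETS = (0x0C, 0x14, 0x00, 0x08, 0x10, 0x04)  # byte [10] = 0x5e + offset


def build_password(month: int, day: int, hour: int,
                   minor: int, major: int, dbg: int, lang_off: int) -> bytes:
    """Assemble one 11-byte candidate the same way the binary's stores do."""
    return FIXED_PREFIX + bytes([
        0x2D + month, 0x5E + day, 0x42 + hour, minor, major, dbg, 0x5E + lang_off,
    ])


def candidate_passwords() -> Iterator[bytes]:
    """Yield every candidate in the 7-byte variable space, fixed prefix included."""
    for month, day, hour, minor, major, dbg, lang_off in itertools.product(
            MONTHS, DAYS, HOURS, MINOR_VERSION, MAJOR_VERSION, IS_DEBUGGER, LANGUAGE_OFFSETS):
        yield build_password(month, day, hour, minor, major, dbg, lang_off)


def keyspace_size() -> int:
    """Number of candidates the loop has to try in the worst case."""
    return (len(MONTHS) * len(DAYS) * len(HOURS) * len(MINOR_VERSION)
            * len(MAJOR_VERSION) * len(IS_DEBUGGER) * len(LANGUAGE_OFFSETS))


def search(oracle: Callable[[bytes], bool]) -> Optional[bytes]:
    """Walk the keyspace and return the first candidate the oracle accepts.

    In the write-up the oracle is the debugger: the candidate is written over
    the password buffer at the 0x00401425 breakpoint, and reaching 0x0040143B
    means the decrypted string started with "PAN{". Here it is any callable.
    """
    for pw in candidate_passwords():
        if oracle(pw):
            return pw
    return None


# Constructed stand-in oracle for offline use: it accepts one arbitrary
# candidate chosen here. This is NOT the challenge's real password.
DEMO_TARGET = build_password(2, 3, 13, ord("B"), ord("A"), ord("i"), 0x08)


def demo_oracle(pw: bytes) -> bool:
    """Plays the role of 'breakpoint 0x0040143B was hit'."""
    return pw == DEMO_TARGET


if __name__ == "__main__":
    print("candidates to try:", keyspace_size())
    print("first candidate:  ", next(candidate_passwords()))
    print("found:            ", search(demo_oracle))
```

Plugging a real oracle in place of `demo_oracle` (one that writes the candidate into the process and reports whether the success breakpoint fired) turns `search` into the same brute-force loop the write-up runs, with the keyspace of 12 × 31 × 24 × 3 × 4 × 2 × 6 candidates computed by `keyspace_size`.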

Figure 4. Generate passwords

For the Python debugging script, I used the sample given in “Gray Hat Python”. I simply modified the script to inject each generated password and detect whether it has found the correct one. =)

Figure 5. Modded code

Figure 6. Yeah, flag secured

Probably not the neatest way to solve the challenge… but it works!

FLAG: PAN{th0se_puPP3ts_creeped_m3_out_and_I_h4d_NIGHTMARES}
